Cyble Sensor Intelligence: Attacks, Phishing Scams and Brute-Force Detections

Cyble’s weekly sensor intelligence report identified active vulnerability exploits, phishing campaigns and brute-force attacks.

Key Takeaways

  • Five exploits of recent vulnerabilities were detected by Cyble honeypot sensors this week.
  • A 9.8-severity PHP flaw identified in June remains under widespread attack, and organizations are urged to upgrade as soon as possible.
  • Cyble researchers also identified 9 phishing scams, a number of very active brute-force attack networks, and the most commonly targeted ports.
  • Security teams are advised to use the information provided to harden their defenses.

Overview

The Cyble Global Sensor Intelligence Network, or CGSI, monitors and captures real-time attack data through Cyble’s network of Honeypot sensors. This week, Cyble’s Threat Hunting service discovered and investigated dozens of exploit attempts, malware intrusions, financial fraud, and brute-force attacks. 

The full report is available to subscribers; here we’ll cover a number of important attacks and exploits that security teams need to be aware of, plus Cyble investigations into phishing campaigns and brute-force attacks. The report covers the week of Sept. 11-Sept. 17.

Attack Case Studies

The Cyble Sensor Intelligence report examined 18 attacks in all; here are five that stand out.

CVE-2024-7954: Arbitrary Code Execution Vulnerability in SPIP’s Porte Plume Plugin

CVE-2024-7954 affects the porte_plume plugin in SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16, and allows remote unauthenticated attackers to execute arbitrary PHP code by sending a specially crafted HTTP request. Users should upgrade to patched versions to mitigate this vulnerability.

CVE-2024-7120: OS Command Injection Vulnerability in Raisecom MSG Devices

CVE-2024-7120 is a critical OS command injection vulnerability in the web interface of Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 devices running version 3.90. The flaw in the list_base_config.php file allows remote attackers to exploit the template parameter to execute arbitrary commands. Public exploits are available for this vulnerability.

CVE-2024-4577: PHP CGI Argument Injection Vulnerability

CVE-2024-4577 is a critical PHP vulnerability that impacts CGI configurations. It enables attackers to execute arbitrary commands through specially crafted URL parameters. Given PHP’s importance and wide use, impacted organizations must upgrade to a more secure PHP version as soon as possible.


CVE-2024-36401: GeoServer Vulnerability Allows Remote Code Execution via Unsafe XPath Evaluation

CVE-2024-36401 is a critical RCE vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. The flaw arises from the unsafe evaluation of OGC request parameters as XPath expressions, allowing unauthenticated users to execute arbitrary code on default installations. The issue affects all GeoServer instances due to improper handling of simple feature types. Patches are available, and a workaround involves removing the vulnerable gt-complex library, though it may impact functionality.

CVE-2024-7029: Network Command Injection Vulnerability Without Authentication in AVTECH IP Cameras

CVE-2024-7029 allows remote attackers to inject and execute commands over the network without requiring authentication. This critical flaw poses a significant risk, enabling unauthorized control over affected systems. AVTECH AVM1203 cameras running firmware version FullImg-1023-1007-1011-1009 and prior are affected, and other AVTECH IP cameras and network video recorder products may also be affected.

Phishing Scams Identified

Cyble researchers identified nine email phishing scams this week. Below are the subject lines and deceptive email addresses used in the scams, along with a description of each.

| E-mail Subject | Scammer’s Email ID | Scam Type | Description |
|---|---|---|---|
| COMPASSION FUND OF 5.5 MILLION DOLLARS. | info@uba.group.org | Charity Scam | Fake charitable fund to steal personal or financial details |
| Compensation | info.us.com | Compensation Scam | Offering fake compensation to collect sensitive data |
| Dear Beneficiary !!! | info@federalreservebank.com | Impersonation Scam | Scammers posing as a bank CEO to solicit sensitive information |
| FACEBOOK GIFTS | info@fam-koeppel.de | Social Media Giveaway Scam | Pretending to offer gifts to steal personal info |
| WINNING GIFTS | fachrisalman.2020@student.uny.ac.id | Lottery/Prize Scam | Fake prize winnings to extort money or information |
| INVESTMENT PROPOSAL | David@uS.com | Investment Scam | Unrealistic investment offers to steal funds or data |
| UN Compensation Fund | info@usa.com | Government Organization Scam | Fake UN compensation to collect financial details |
| Your abandoned shipment | contact@wine.plala.or.jp | Shipping Scam | Unclaimed shipment trick to demand fees or details |
| RE: Request Commercial We need your product | accounts@eswil.com | Business Commercial Scam | Fake business requests to obtain goods without payment |

Brute-Force Attacks

Brute-force attacks consist of an attacker submitting many passwords or passphrases in the hope of eventually guessing a combination correctly. The attacker systematically works through possible passwords and passphrases until the correct one is found. The same trial-and-error method is used to guess login credentials and encryption keys, or to find a hidden web page.

Cyble observed thousands of brute-force attacks in the last week. A close inspection of the distribution of attacked ports based on the top five attacker countries revealed that attacks originating from the United States targeted ports 3389 (60%), 445 (19%), 22 (13%), 5900 (6%), and 9200 (3%). Attacks originating from Russia targeted ports 5900 (96%), 445 (2%), 25 (1%), 3389 (1%), and 1025 (1%). Attacks originating from the Netherlands, India, and Bulgaria largely targeted ports 5900 and 445.

Security analysts are advised to configure blocks on their security systems for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).

The most frequently used usernames and passwords in brute-force attacks are shown in the figure below. The analysis report indicates that brute-force attacks on IT automation software and servers frequently employ usernames such as 3comcso, elasticsearch, and hadoop, and that database attacks use usernames such as mysql and Postgres. Some of the most common username/password combinations were “root”, “admin”, “password”, “123456”, etc. Hence, it is critically important to set strong passwords for servers and devices, and to always change default credentials.
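To show the kind of aggregation behind the port and credential statistics above, here is an added Python example. It is not Cyble’s code and not the CGSI pipeline: it processes constructed honeypot login events, computes the per-country port share described in the preceding paragraphs and the most common username/password pairs, and counts how many attempts would have succeeded against unchanged default credentials. The JSON-lines format, the field names, and the sample events are assumptions made for the example.

```python
"""Aggregate brute-force honeypot events the way the report does: per-country
port distribution and the most-used username/password pairs.

Added example, not Cyble's code. The log format (one JSON object per line with
src_country, dst_port, username, password) is an assumption for this example.
"""
import json
from collections import Counter, defaultdict

# Constructed sample honeypot events using RFC 5737 documentation addresses;
# not real sensor data. The last line is deliberately malformed.
SAMPLE_LOG = """\
{"src_ip": "203.0.113.10", "src_country": "US", "dst_port": 3389, "username": "administrator", "password": "123456"}
{"src_ip": "203.0.113.10", "src_country": "US", "dst_port": 3389, "username": "admin", "password": "admin"}
{"src_ip": "203.0.113.11", "src_country": "US", "dst_port": 445, "username": "admin", "password": "password"}
{"src_ip": "203.0.113.12", "src_country": "US", "dst_port": 22, "username": "root", "password": "root"}
{"src_ip": "198.51.100.5", "src_country": "RU", "dst_port": 5900, "username": "", "password": "123456"}
{"src_ip": "198.51.100.5", "src_country": "RU", "dst_port": 5900, "username": "", "password": "password"}
{"src_ip": "198.51.100.6", "src_country": "RU", "dst_port": 5900, "username": "", "password": "admin"}
{"src_ip": "198.51.100.7", "src_country": "RU", "dst_port": 445, "username": "admin", "password": "admin"}
{"src_ip": "192.0.2.9", "src_country": "NL", "dst_port": 22, "username": "hadoop", "password": "hadoop"}
{"src_ip": "192.0.2.9", "src_country": "NL", "dst_port": 22, "username": "elasticsearch", "password": "123456"}
not json at all
"""

# Factory / weak credentials of the kind the report singles out. An attempt that
# matches one of these would have succeeded against an unchanged default login.
DEFAULT_CREDENTIALS = {
    ("root", "root"), ("admin", "admin"), ("admin", "password"), ("hadoop", "hadoop"),
}

REQUIRED_FIELDS = {"src_country", "dst_port", "username", "password"}


def parse_events(text):
    """Yield event dicts, skipping blank or malformed lines instead of aborting."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and REQUIRED_FIELDS.issubset(ev):
            yield ev


def port_distribution(events, top_countries=5):
    """{country: [(port, percent), ...]} for the busiest attacker countries.

    Countries are ranked by total attempts; ports within a country are listed
    by share, which is the view the report gives (e.g. 3389 (60%), 445 (19%)).
    """
    by_country = defaultdict(Counter)
    for ev in events:
        by_country[ev["src_country"]][int(ev["dst_port"])] += 1
    ranked = sorted(by_country.items(), key=lambda kv: -sum(kv[1].values()))
    result = {}
    for country, ports in ranked[:top_countries]:
        total = sum(ports.values())
        result[country] = [(port, round(100 * n / total)) for port, n in ports.most_common()]
    return result


def top_credentials(events, n=5):
    """Most common (username, password) pairs and the number of attempts that
    would have succeeded against a default credential."""
    pairs = Counter((ev["username"], ev["password"]) for ev in events)
    default_hits = sum(c for pair, c in pairs.items() if pair in DEFAULT_CREDENTIALS)
    return pairs.most_common(n), default_hits


if __name__ == "__main__":
    events = list(parse_events(SAMPLE_LOG))
    for country, shares in port_distribution(events).items():
        print(country, ", ".join(f"{port} ({pct}%)" for port, pct in shares))
    common, hits = top_credentials(events)
    print("top credential pairs:", common)
    print("attempts that would succeed against default credentials:", hits)
```

Running it on a real sensor export only requires adapting `parse_events` to the export’s field names; the default-credential counter is the figure worth tracking over time, since it measures how many guesses would have worked rather than how many were made.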

Cyble Recommendations

Cyble researchers offered a number of recommendations for subscribers in the report:

  • Block the listed hashes, URLs, and email addresses on security systems.
  • Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
  • Constantly check for attackers’ ASNs and IPs in the real-time attack table.
  • Block brute-force attack IPs and the targeted ports listed in the IoC table in security products.
  • Immediately reset default usernames and passwords to mitigate brute-force attacks, and enforce periodic changes.
  • For servers, set up strong passwords that are difficult to guess.
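The two blocking recommendations above (attacker IPs and targeted ports, and Suricata alerting) are easier to act on when the IoC table is turned into rule files mechanically. The following is an added Python example, not Cyble’s tooling and not the report’s IoC table: it normalises a constructed IoC list (RFC 5737 documentation addresses standing in for attacker IPs, with the ports named in the report), drops malformed rows and addresses from ranges you should never block blindly, and emits Suricata rules plus an nftables set and drop rule. The row layout, the `$HOME_NET` variable, the `NEVER_BLOCK` list, and the sid range are assumptions for the example.

```python
"""Turn a brute-force IoC table (attacker IPs and targeted ports) into
blocking artefacts: Suricata rules and an nftables set with a drop rule.

Added example, not Cyble's tooling. The IoC rows below are constructed from
RFC 5737 documentation addresses and the ports named in the report.
"""
import ipaddress

# Constructed IoC table; a real one would come from the report's IoC section.
IOC_ROWS = [
    {"ip": "203.0.113.10", "ports": [3389, 445]},
    {"ip": "198.51.100.5", "ports": [5900]},
    {"ip": "198.51.100.5", "ports": [5900, 445]},   # duplicate IP with an extra port
    {"ip": "192.0.2.9", "ports": [22]},
    {"ip": "not-an-ip", "ports": [22]},             # malformed row, must be skipped
    {"ip": "10.0.0.7", "ports": [22]},              # RFC 1918 address, never block blindly
]

# Ranges that must never land in a block list from an external feed: your own
# internal networks, loopback and link-local. Extend with your public ranges.
NEVER_BLOCK = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]

SID_BASE = 9_000_000  # local Suricata rules conventionally use sids >= 1,000,000


def normalise_iocs(rows):
    """Return {ip: sorted ports}, merging duplicates and dropping rows that are
    malformed, not IPv4 (this example emits an ipv4_addr set), or in NEVER_BLOCK."""
    merged = {}
    for row in rows:
        try:
            addr = ipaddress.ip_address(row["ip"])
        except ValueError:
            continue
        if addr.version != 4 or any(addr in net for net in NEVER_BLOCK):
            continue
        merged.setdefault(str(addr), set()).update(int(p) for p in row["ports"])
    return {ip: sorted(ports) for ip, ports in sorted(merged.items())}


def suricata_rules(iocs, sid_base=SID_BASE):
    """One alert rule per source IP, restricted to the ports it was seen attacking."""
    rules = []
    for i, (ip, ports) in enumerate(iocs.items()):
        port_list = ",".join(str(p) for p in ports)
        rules.append(
            f'alert tcp {ip} any -> $HOME_NET [{port_list}] '
            f'(msg:"Brute-force IoC source {ip}"; flow:to_server; '
            f'classtype:attempted-recon; sid:{sid_base + i}; rev:1;)'
        )
    return rules


def nftables_set(iocs, table="filter", setname="bruteforce_src"):
    """nft script: a named IPv4 set of attacker IPs and an input-chain drop for
    traffic from that set to the union of targeted ports."""
    elements = ", ".join(iocs)
    all_ports = ", ".join(str(p) for p in sorted({p for ps in iocs.values() for p in ps}))
    return "\n".join([
        f"table inet {table} {{",
        f"    set {setname} {{",
        "        type ipv4_addr",
        f"        elements = {{ {elements} }}",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f"        ip saddr @{setname} tcp dport {{ {all_ports} }} drop",
        "    }",
        "}",
    ])


if __name__ == "__main__":
    iocs = normalise_iocs(IOC_ROWS)
    print("\n".join(suricata_rules(iocs)))
    print()
    print(nftables_set(iocs))
```

The Suricata rules are written as `alert` rather than `drop` so they can be deployed in IDS mode first and reviewed before any inline blocking; the nftables fragment is what you would hand to `nft -f` once the set contents have been checked against your own address ranges.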
